Announcing disallow pwned passwords

Admins know that WordPress users need secure passwords to keep a site's security watertight. But do you know whether your WordPress users are logging in to your CMS with insecure 'pwned' passwords? And do you know the risk?

What is a pwned password?

Pwned passwords are real-world passwords, over seven billion of them, that have been exposed in data breaches. Because they are already in attackers' hands, they are at far greater risk of being used to take over other accounts, which makes them unsuitable for further use. They are searchable online in the Have I Been Pwned database.

What’s the risk?

People using pwned passwords can pose a serious risk to your cybersecurity. When hackers undertake a brute force attack, using these passwords to take personal information or spend users' hard-earned money through your site, it is usually the site owner or developer who gets the blame.

The National Institute of Standards and Technology has issued guidelines for federal agencies implementing digital identity services, which state:

"When processing requests to establish and change memorised secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example…

* Passwords obtained from previous breach corpuses"